From 4f94886884b47e19f16da5b987ef1a740b29456e Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Fri, 31 Aug 2018 11:12:30 +0300
Subject: banned user messages are not visible to others
---
 .../main/java/com/juick/service/MessagesServiceImpl.java | 5 +++--
 .../test/java/com/juick/server/tests/ServerTests.java | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
(limited to 'juick-server/src')
diff --git a/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java b/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java
index e2958112..c86e3736 100644
--- a/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java
+++ b/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java
@@ -450,7 +450,7 @@ public class MessagesServiceImpl extends BaseJdbcService implements MessagesServ
 ")") +
 " AND NOT EXISTS (SELECT 1 FROM bl_tags bt WHERE bt.tag_id IN " +
 "(SELECT tag_id FROM messages_tags WHERE message_id = m.message_id) and :visitorUid = bt.user_id)" +
- " AND NOT EXISTS (SELECT 1 from users u WHERE u.banned = 1 and u.id = m.user_id) ORDER BY m.message_id DESC LIMIT 20",
+ " AND NOT EXISTS (SELECT 1 from users u WHERE u.banned = 1 and u.id = m.user_id and u.id <> :visitorUid) ORDER BY m.message_id DESC LIMIT 20",
 sqlParameterSource, Integer.class);
 }
@@ -633,7 +633,7 @@ public class MessagesServiceImpl extends BaseJdbcService implements MessagesServ
 " AND m.attach IS NOT NULL " +
 " AND NOT EXISTS (SELECT 1 FROM bl_tags bt WHERE bt.tag_id IN " +
 "(SELECT tag_id FROM messages_tags WHERE message_id = m.message_id) and :vid = bt.user_id)" +
- " AND NOT EXISTS (SELECT 1 from users u WHERE u.banned = 1 and u.id = m.user_id) " +
+ " AND NOT EXISTS (SELECT 1 from users u WHERE u.banned = 1 and u.id = m.user_id and u.id <> :vid) " +
 " AND NOT EXISTS (SELECT 1 FROM bl_users b WHERE b.user_id = :vid and b.bl_user_id = m.user_id) " +
 " ORDER BY m.message_id DESC LIMIT 20",
 sqlParameterSource,
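Review bot: The rule "a banned author is hidden from everyone except that author" is written out by hand inside the SQL of the query at -450 (`:visitorUid`), and again at -633 (`:vid`) and -887 (`:uid`), so nothing keeps the three copies in step. Any other listing query in this class is outside the diff and should be checked for the same filter. Because the self-exemption reads like a mistake without context, I would record the intent next to each predicate, for example `// banned authors are hidden from everyone but themselves`, and consider a single shared fragment with one parameter name. The enclosing methods start and end outside these hunks.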
@@ -887,6 +887,7 @@ public class MessagesServiceImpl extends BaseJdbcService implements MessagesServ
 "LEFT JOIN users qu ON qw.user_id=qu.id " +
 "LEFT JOIN users mu ON m.user_id=mu.id " +
 "WHERE replies.message_id = :mid " +
+ "AND NOT EXISTS (SELECT 1 from users u WHERE u.banned = 1 and u.id = replies.user_id and u.id <> :uid)" +
 "AND NOT EXISTS (SELECT 1 FROM banned WHERE banned.reply_id = replies.reply_id) " +
 "AND NOT EXISTS (SELECT 1 FROM bl_users b WHERE b.user_id = :uid AND b.bl_user_id = m.user_id) " +
 "ORDER BY replies.reply_id ASC",
diff --git a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
index 70555fca..c6d1bc1a 100644
--- a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
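Review bot: The new predicate in the -887 hunk filters on `replies.user_id` only, while the same query also joins a second row as `qw` (`LEFT JOIN users qu ON qw.user_id=qu.id`), presumably the reply being answered. If the select list, which is outside this hunk, returns text or author data from `qw`, a visible reply that answers a banned user's reply could still carry that content to other readers; this is worth confirming with a test where a casual user replies to the banned reply. Separately, the added string ends in `:uid)"` with no trailing space, unlike its neighbours, so the generated SQL reads `)AND NOT EXISTS`; ending the literal with `:uid) " +` keeps the fragments consistent.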
@@ -1303,4 +1303,20 @@ public class ServerTests {
 assertThat(messagesService.getMessage(mid).getLikes(), is(3));
 assertThat(CollectionUtils.isEqualCollection(messagesService.getMessageRecommendations(mid), Arrays.asList("fmap", "ermine")), is(true));
 }
+ @Test
+ public void bannedUserShouldNotBeVisibleToOthers() {
+ jdbcTemplate.execute("DELETE FROM messages");
+ int casualUserId = userService.createUser("user", "secret");
+ int bannedUserId = userService.createUser("banned", "banned");
+ jdbcTemplate.update("UPDATE users SET banned=1 WHERE id=?", bannedUserId);
+ messagesService.createMessage(bannedUserId, "KURWA", null, Collections.emptyList());
+ assertThat(messagesService.getAll(casualUserId, 0).size(), is(0));
+ assertThat(messagesService.getAll(bannedUserId, 0).size(), is(1));
+ int mid = messagesService.createMessage(casualUserId, "PEACE", null, Collections.emptyList());
+ User banned = userService.getUserByName("banned");
+ int bannedRid = messagesService.createReply(mid, 0, banned, "KURWA", null);
+ int casualRid = messagesService.createReply(mid, 0, userService.getUserByName("user"), "DOOR", null);
+ assertThat(messagesService.getReplies(AnonymousUser.INSTANCE, mid).size(), is(1));
+ assertThat(messagesService.getReplies(banned, mid).size(), is(2));
+ }
 }
-- cgit v1.2.3
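Review bot: Both reply assertions in `bannedUserShouldNotBeVisibleToOthers` only count rows, so they would still pass if the query hid the casual user's reply and showed the banned one; `bannedRid` and `casualRid` are assigned but never used. I would assert that the single reply returned to the anonymous visitor is `casualRid`, and add the logged-in, non-banned path, `assertThat(messagesService.getReplies(userService.getUserByName("user"), mid).size(), is(1));`, since the filter depends on `:uid`. The query changed at -633 (the one with `m.attach IS NOT NULL`) has no coverage in this test. `DELETE FROM messages` also wipes state that other tests in the class may rely on, depending on execution order.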